from the perhaps-more-the-latter... dept

Rich Kulawiec points us to the news of Dillon Beresford of NSS Labs recently discovering (and revealing) that the Siemens control systems targeted by Stuxnet have massive security holes, including a hardcoded username/password combo ("basisk" for both, in case you were wondering). As Kulawiec noted:

We have been treated, over the past few years, to an increasing chorus of hysteria and hype about "cyberwar". Some of that has come from governments eager to justify their increasing invasion of citizen privacy. Some of that has come from government contractors, eager to score more $100M do-nothing contracts. And since Stuxnet has come to light, it's been held up repeatedly as an example of the extreme cleverness of attackers.

But while Stuxnet is pretty darn clever, that's not the real problem. The real problem is that the incompetent morons at Siemens allowed this piece of crap to get out the door and into production environments. Thus the storyline isn't so much about the devious and subtle craft of Stuxnet's creators, as it is about the jaw-dropping negligence of Siemens: how could their QA miss this? How could they allow such a rudimentary, obvious mistake to pass?

We don't need to spend billions (or trillions) on elaborate cyberwar initiatives. We need to stop making fundamental mistakes. We need to stop doing the stupid things that we KNOW are stupid.

But that kind of stuff isn't quite as sexy as declaring "cyberwar" and asking for billions of dollars from the government.

from the frightening dept

We've discussed quite a few times how consultants, lobbyists, contractors and government agencies who stand to benefit have been overhyping the threats associated with digital infrastructure by calling it a "cyberwar." The reality is that it's much more about espionage, vandalism and creating significant nuisances, rather than something on the level of a "war." Yet, with the White House's latest "cyberspace" strategy report, it warns that if certain attacks via the internet are seen as hostile, we might just bomb you in response:

“Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners,” says the document. “When warranted, the United States will respond to hostile acts in cyberspace as we would any other threat to our country.”

In other words, there might not have been a war when this all started, but by the end of it, the US government will make damn sure that there's a war going on in the traditional sense. Comforting.

from the nice-to-finally-see-this dept

We've spent plenty of time over the past year or so discussing how the concept of a "cyberwar" has been blown totally out of proportion, often by those seeking to get rich off of the fear. We've been ridiculed for this, often getting messages from people saying that we don't know what's really going on. However, now the OECD, a rather respectable organization, has stepped up and said the same thing: the concept of a "cyberwar" is totally overhyped, and while there may be random computer-based hacks and attacks here and there, to label it as a "war" is way beyond reasonable.

Attempts to quantify the potential damage that hi-tech attacks could cause and develop appropriate responses are not helped by the hyperbolic language used to describe these incidents, said the OECD report.

"We don't help ourselves using 'cyberwar' to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks," said Professor Peter Sommer, visiting professor at LSE who co-wrote the report with Dr Ian Brown of the Oxford Internet Institute.

"Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure," added Prof Sommer.

Part of the problem is that people (again, often with questionable agendas) like to lump all sorts of very different activities under the single heading of "cyberwar" to make it sound like a bigger issue than it really is (and, presumably, to get more money). It's nice to see more level-headed analysis coming out of groups like the OECD. Now, if only governments will actually listen...

from the overhyping dept

The guy behind the Pentagon Papers, Daniel Ellsberg, recently tweeted a link to my blog post about how some believed the US government was trying to make the case that Wikileaks was a part of a "cyberwar" because it helped further the agenda of certain government officials and defense contractors to use FUD about "cyberwar" to give the government more technological snooping powers and make those contractors tons of money supplying the tools. Of course, this is ridiculous. Wikileaks is no "cyberwar."

But Ellsberg's quote on the matter sums it up so eloquently, that we thought it was worthwhile to repeat here:

If @wikileaks is a "cyberwar," then what were the Pentagon Papers, a wood pulp war?

Indeed. Wikileaks is no more a cyberwar issue than the Pentagon Papers was a wood pulp war. The infatuation with adding "cyber" to the front of things just to pretend it's somehow "different" is really misleading.

Update: As was pointed out in the comments, I am a moron with this particular story. Ellsberg was apparently quoting my own original statement asking if the Pentagon Papers were a wood pulp war. I honestly did not remember writing those words (as you may know, I write an awful lot...). But it explains why the words resonated. Though, of course, now that makes me look egotistical. Point taken: this post shows I'm an egotistical moron. I still like the quote though.

from the cyberlull dept

For all the recent talk of "cyberwar," with particular emphasis on the idea that hackers in foreign countries were bombarding US gov't and military institutions with constant internet attacks, it now turns out that "incidents of malicious cyber activity" against the Pentagon have been on the decline this year. There still have been plenty of attempts to breach the network, but it's a much lower number than in the past. And that seems to contradict what Pentagon officials have been saying.

Deputy Defense Secretary William Lynn, who's been leading the charge for why the Pentagon should be in charge of cybersecurity, recently claimed that the frequency was increasing exponentially. Except that's not true, apparently. The NSA, which is the main group within the Defense Department that wants to handle cybersecurity, apparently had its boss specifically (falsely) claim that he was "alarmed by the increase, especially this year." Of course, there are still plenty of attacks -- no one is denying that -- but it's even more evidence that the folks looking to use this to gain more power are clearly exaggerating what's going on.

from the not-cool dept

We've discussed multiple times the massive unsubstantiated hype around the concept of "cyberwar", which mostly has been led by former government officials who are seriously cashing in on the hype. Yet, every time we mention this, we get people insisting that we just don't know the "real story" and the "threat" is really big. But we keep waiting for some evidence to support that theory.

Seymour Hersh, over at the New Yorker, who tends to be the most connected reporter around when it comes to getting the inside scoop on what's happening in the US military, has a (typically) long and worth reading analysis of the whole "cyberwar" concept that effectively agrees with exactly what we've been saying all along: it's totally hyped up beyond reality, in an effort to build the reputations of a few people and to cash in on a trend. People on all sides of the issue all seemed to point out to Hersh that "cyberwar" is blowing things out of proportion. There's plenty of espionage going on, but that's quite different (and a lot less sexy when it comes to trying to make money).

But what's even scarier than the people seeking to get money is the way the Defense Department has been using this to try to basically take control of the whole "cyber defense" aspect. Back in August, we discussed how there was this ongoing fight between the Defense Department (military) and Homeland Security (civilian) to manage the "cyber" threats, with the Defense Department basically using its experience in being incompetent to argue that it knows better.

And, as you look at the details, the Defense Department isn't just looking at "cyber defense," it keeps on making the argument that part of "cyber defense" is also "securing" private networks and usage. Jerry Brito, over at the Tech Liberation Front, just had a post questioning whether or not the military should have a role in civilian cybersecurity, and Hersh's long article gives plenty of reasons why it absolutely should not.

Multiple people note that one of the best ways to make various networks and systems more secure from espionage attacks is to increase (or even mandate) widespread encryption. That would certainly make things more difficult for espionage. But the NSA (part of the Defense Department) doesn't want that because that makes it much harder to spy on people. In fact, the very same NSA has been pushing the feds to put in place a mandatory backdoor to any encryption so that it can keep on spying.

But, of course, any such backdoor can (and absolutely will) be used by those trying to spy from elsewhere as well. So when you put the NSA in charge of "cyber security," it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil), rather than actually doing stuff related to actual "cyber security." We've had various pieces of similar stories over the past few months, but Hersh does a great job pulling it all together in a way that makes it pretty clear that this whole thing is a huge boondoggle for most of the players. The ex-gov't officials screaming "cyberwar" are making tons of cash, while the Defense Department and the NSA are using all that hype to gain more control over the internet and the ability to spy on people -- but not necessarily to make anyone more secure.

from the espionage-is-not-war dept

We've been covering all the hyped up claims of cyberwar, often made by law enforcement officials or defense contractors who clearly benefit from keeping people fearful. However, evidence for such claims is always lacking, beyond a vague "trust us, it's bad!" All we've seen so far is that people are definitely trying to hack into each other's systems, which is hardly "war." However, it looks like this hype isn't just happening in the US. A UK official is getting in on the act too, claiming that cyberwar attacks are already happening. But, of course, he's again pretty vague on details. At best he says that the internet has "increased the risk of disruption to infrastructure such as power stations and financial services."

Of course, right before I had read that article, I had been reading an article where the reporter spoke to an energy grid expert, who called such claims "a bunch of hooey." The guy, Seth Blumsack, along with a couple of colleagues, had been hearing all these stories about how "at risk" the electric grid was, so they went looking for the evidence. After looking at the claims and predictions, they realized that those claiming the electrical grid was at risk didn't actually appear to understand the physics of how electric grids actually work.

Blumsack, Hines and Cotilla-Sanchez decided to contrast the performance of a topological model with one based on actual physics - specifically on Ohm's and Kirchhoff's Laws governing the flow of electricity in the real world. They tried out both kinds of model on an accurate representation of the North American Eastern Interconnect, the largest and one of the most trouble-prone portions of the US grid, using real-world data from a test case generated in 2005.

The three engineers say that the physics-driven model was much closer to reality, and that this verifies what physics models show. The results showed that in fact it is major grid components through which a lot of power flows - big generating stations and massive transformers - which are the main points of vulnerability, not the minor installations scattered across the country.

It isn't so much that a minor event on a minor line or installation can't crash the network: such things do happen. But in general there have to be huge numbers of such minor events before one of them happens to hit the miracle weak point and bring everything down. It would be an impossible task for terrorists or other malefactors to know in advance just where and when a minor pinprick could cause massive effects.

Part of the problem, of course, is the tremendous secrecy around it. Jim Harper does a good job making the case that much of this program should be public, and blames Congress for falling prey to "cyberwar" hype in not forcing the details of this program to be publicly scrutinized:

If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such--the unique characteristics of new attacks--might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.

A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinized by private-sector experts, academics, security vendors, and watchdog groups.

Benign intentions do not control future results, and governmental surveillance of the Internet for "cybersecurity" purposes may warp over time to surveillance for ideological and political purposes.

Harper's points are worth repeating. He's not saying that the government shouldn't be looking for potential threats or vulnerabilities, but that many of the details should be public. It's fine to keep some aspects secret, but keeping the entire program secret inevitably means that it will be less effective. On top of that, even if it's officially just for "assessment" at this time, we've all seen how government programs morph and change over time (especially in response to political will) -- especially when it comes to monitoring. Or do we need to remind everyone how often the feds have admitted to violating the law with wiretaps?

from the good-work dept

For some time now, we've been pointing out how the new claims of cyberwar threats from politicians and defense contractors were massively overhyped. We keep getting comments on those posts along the lines of "the real threat is secret, so you have to trust the government," which isn't exactly comforting. Sometimes we get comments saying "you're not a security expert, so you don't know the real threat." At which point we ask people to explain the real threat, and they always come up short. With military leaders getting together to once again hype the still unexplained "cyberwar threat," security expert Bruce Schneier has written a great piece detailing the lack of an actual threat.

He points out, correctly, that cybersecurity is important, but elevating it to a bogus "war" is dangerous:

We surely need to improve our cybersecurity. But words have meaning, and metaphors matter. There's a power struggle going on for control of our nation's cybersecurity strategy, and the NSA and DoD are winning. If we frame the debate in terms of war, if we accept the military's expansive cyberspace definition of "war," we feed our fears.

We reinforce the notion that we're helpless -- what person or organization can defend itself in a war? -- and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime.

Instead, he notes, almost all of the known "examples" of cyberwar are either cybercrime or espionage -- which are not the same thing. As he points out:

If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it's done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.

This is an important point. No one is saying that online security isn't important. We're just questioning whether it's really a "war" that requires the military to be heavily involved or if there are better options. It's great to see some in the security field start to speak up on this subject as well.

from the how-this-works dept

Earlier this year, we noted that government contractor Booz Allen Hamilton had been making the rounds ringing up the moral panic over "cyberterrorism," without any significant evidence of it actually existing in any real form. The key to all of this was the hiring of former director of national intelligence Michael McConnell as a VP, whose main job seems to be scaring the press into repeating Booz Allen fear mongering talking points and attributing them to him without even bothering to mention that he's employed by a company that is making a ton of money from this fear mongering. And, boy, has Booz Allen raked in the money. Since the fear mongering began, the firm has secured at least hundreds of millions of dollars in contracts.

Of course, that's good for the firm, but what about its investors? Well, now that it's scared the government and the public into handing over all this cash, it looks like its investors want to cash out. The company has now announced plans for an IPO so they can walk off with the cash, built off of scaring the public over a supposed threat for which they have little actual evidence. What a deal!